Bug#927424: stretch-pu: package rails/2:4.2.7.1-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Fixes three issues in rails, debdiff below. Passes all regression tests
and a quick functional test.
Cheers,
Moritz
diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog
--- rails-4.2.7.1/debian/changelog 2016-08-22 19:33:48.000000000 +0200
+++ rails-4.2.7.1/debian/changelog 2019-04-18 16:51:20.000000000 +0200
@@ -1,3 +1,10 @@
+rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium
+
+ * CVE-2018-16476 (Closes: #914847)
+ * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Thu, 18 Apr 2019 20:48:13 +0200
+
rails (2:4.2.7.1-1) unstable; urgency=medium
* New upstream release; includes fixes for the following issues:
diff -Nru rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch
--- rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch 1970-01-01 01:00:00.000000000 +0100
+++ rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch 2019-04-18 16:44:58.000000000 +0200
@@ -0,0 +1,47 @@
+From 4f03411fd07d714b525655e2457bbd761c9f03a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca@gmail.com>
+Date: Wed, 5 Sep 2018 17:38:09 -0400
+Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
+ Active Job
+
+Trusting any GlobaID object when deserializing jobs can allow
+attackers to access information that should not be accessible to them.
+
+Fix CVE-2018-16476.
+---
+ activejob/lib/active_job/arguments.rb | 2 +-
+ activejob/test/cases/argument_serialization_test.rb | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
+index ecd81f2099..e33ee649cd 100644
+--- a/activejob/lib/active_job/arguments.rb
++++ b/activejob/lib/active_job/arguments.rb
+@@ -75,7 +75,7 @@ module ActiveJob
+ def deserialize_argument(argument)
+ case argument
+ when String
+- GlobalID::Locator.locate(argument) || argument
++ argument
+ when *TYPE_WHITELIST
+ argument
+ when Array
+diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
+index 1f11e916c4..058a828b86 100644
+--- a/activejob/test/cases/argument_serialization_test.rb
++++ b/activejob/test/cases/argument_serialization_test.rb
+@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
+ assert_arguments_roundtrip [@person]
+ end
+
++ test "should keep Global IDs strings as they are" do
++ assert_arguments_roundtrip [@person.to_gid.to_s]
++ end
++
+ test 'should dive deep into arrays and hashes' do
+ assert_arguments_roundtrip [3, [@person]]
+ assert_arguments_roundtrip [{ 'a' => @person }]
+--
+2.18.0
+
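Review bot: The new debian/patches/006-CVE-2018-16476.patch carries only the upstream git headers (From/Date/Subject) and no DEP-3 `Origin:` or `Bug-Debian:` field, so nothing in the patch itself ties it to the upstream commit or to #914847 named in the changelog; the same applies to 007-CVE-2019-5418_CVE-2019-5419.patch and #924520. Adding `Origin: upstream, https://github.com/rails/rails/commit/4f03411fd07d714b525655e2457bbd761c9f03a5` and `Bug-Debian: https://bugs.debian.org/914847` above the `---` separator would make the provenance checkable without leaving the file. The inner hunk in activejob/lib/active_job/arguments.rb replaces `GlobalID::Locator.locate(argument) || argument` with a bare `argument`, so a String job argument is now passed through unchanged rather than resolved to a record; an application in stretch that enqueued GlobalID strings and relied on auto-location will see a behaviour change, which is worth a sentence in the changelog entry. The enclosing `deserialize_argument` case statement continues past the end of the quoted hunk.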
diff -Nru rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch
--- rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch 1970-01-01 01:00:00.000000000 +0100
+++ rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch 2019-04-18 16:45:44.000000000 +0200
@@ -0,0 +1,113 @@
+From 58ed245e80a8710fbe31e91417bfd19f9f934cc4 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Mon, 4 Mar 2019 18:24:51 -0800
+Subject: [PATCH] Only accept formats from registered mime types
+
+[CVE-2019-5418]
+[CVE-2019-5419]
+---
+ .../lib/action_dispatch/http/mime_negotiation.rb | 6 +++++-
+ .../test/controller/mime/respond_to_test.rb | 14 ++++++++------
+ .../new_base/content_negotiation_test.rb | 16 +++++++++++++---
+ 3 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+index 53a98c5d0a..00fd3d03df 100644
+--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
++++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+@@ -61,7 +61,7 @@ module ActionDispatch
+ false
+ end
+
+- if params_readable
++ v = if params_readable
+ Array(Mime[parameters[:format]])
+ elsif use_accept_header && valid_accept_header
+ accepts
+@@ -70,6 +70,10 @@ module ActionDispatch
+ else
+ [Mime::HTML]
+ end
++
++ v.select do |format|
++ format.symbol || format.ref == "*/*"
++ end
+ end
+ end
+
+diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
+index 66d2fd7716..07ad0085fc 100644
+--- a/actionpack/test/controller/mime/respond_to_test.rb
++++ b/actionpack/test/controller/mime/respond_to_test.rb
+@@ -87,9 +87,9 @@ class RespondToController < ActionController::Base
+
+ def custom_type_handling
+ respond_to do |type|
+- type.html { render :text => "HTML" }
+- type.custom("application/crazy-xml") { render :text => "Crazy XML" }
+- type.all { render :text => "Nothing" }
++ type.html { render text: "HTML" }
++ type.custom("application/fancy-xml") { render text: "Fancy XML" }
++ type.all { render text: "Nothing" }
+ end
+ end
+
+@@ -269,12 +269,14 @@ class RespondToControllerTest < ActionController::TestCase
+ @request.host = "www.example.com"
+ Mime::Type.register_alias("text/html", :iphone)
+ Mime::Type.register("text/x-mobile", :mobile)
++ Mime::Type.register("application/fancy-xml", :fancy_xml)
+ end
+
+ def teardown
+ super
+ Mime::Type.unregister(:iphone)
+ Mime::Type.unregister(:mobile)
++ Mime::Type.unregister(:fancy_xml)
+ end
+
+ def test_html
+@@ -430,10 +432,10 @@ class RespondToControllerTest < ActionController::TestCase
+ end
+
+ def test_custom_types
+- @request.accept = "application/crazy-xml"
++ @request.accept = "application/fancy-xml"
+ get :custom_type_handling
+- assert_equal "application/crazy-xml", @response.content_type
+- assert_equal 'Crazy XML', @response.body
++ assert_equal "application/fancy-xml", @response.content_type
++ assert_equal "Fancy XML", @response.body
+
+ @request.accept = "text/html"
+ get :custom_type_handling
+diff --git a/actionpack/test/controller/new_base/content_negotiation_test.rb b/actionpack/test/controller/new_base/content_negotiation_test.rb
+index 5fd5946619..57bf16ac9c 100644
+--- a/actionpack/test/controller/new_base/content_negotiation_test.rb
++++ b/actionpack/test/controller/new_base/content_negotiation_test.rb
+@@ -19,9 +19,19 @@ module ContentNegotiation
+ assert_body "Hello world */*!"
+ end
+
+- test "Not all mimes are converted to symbol" do
+- get "/content_negotiation/basic/all", {}, "HTTP_ACCEPT" => "text/plain, mime/another"
+- assert_body '[:text, "mime/another"]'
++ test "A js or */* Accept header will return HTML" do
++ get "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++ assert_body "Hello world text/html!"
++ end
++
++ test "A js or */* Accept header on xhr will return HTML" do
++ xhr :get, "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++ assert_body "Hello world text/javascript!"
++ end
++
++ test "Unregistered mimes are ignored" do
++ get "/content_negotiation/basic/all", {}, { "HTTP_ACCEPT" => "text/plain, mime/another" }
++ assert_body '[:text]'
+ end
+ end
+ end
+--
+2.21.0
+
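Review bot: The added `v.select` block in actionpack/lib/action_dispatch/http/mime_negotiation.rb carries no comment saying why unregistered formats are dropped while `*/*` is kept, and the security intent is only recoverable from the patch subject line; a why-comment such as `# Only keep registered Mime types so a client-supplied Accept/format value cannot select an arbitrary template format (CVE-2019-5418 / CVE-2019-5419); "*/*" is kept so the default handler still applies.` placed above the `v.select` would make the backport self-explanatory to the next maintainer. The filter is applied after every branch of the `if params_readable` chain, including the `[Mime::HTML]` default, which appears harmless as far as the visible lines show but is worth confirming against the full `formats` method, whose `def` line lies outside the quoted hunk. The test changes, including the renaming of `application/crazy-xml` to a registered `application/fancy-xml` type, are consistent with the new filter and need no further adjustment.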
diff -Nru rails-4.2.7.1/debian/patches/series rails-4.2.7.1/debian/patches/series
--- rails-4.2.7.1/debian/patches/series 2016-08-22 19:33:48.000000000 +0200
+++ rails-4.2.7.1/debian/patches/series 2019-04-18 16:48:04.000000000 +0200
@@ -2,3 +2,5 @@
0002-load_paths.rb-don-t-load-bundler.patch
0004-ActiveRecord-adjust-test-suite-for-Debian-build.patch
0005-relax-json.patch
+006-CVE-2018-16476.patch
+007-CVE-2019-5418_CVE-2019-5419.patch
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled